我使用密码盐来哈希用户'注册时密码,在登录时也使用相同的方法,但它总是显示我不正确的密码请有人告诉我是什么错误。 如果我删除密码盐它将工作正常但我需要保护密码。
这是我的注册码
<?php
include($root . 'database_connection.php');
if (isset($_POST['formsubmitted'])) {
$username = $_POST['username']; //else assign it a variable
$email = $_POST['email'];
$password = $_POST['password'];
$salt = "@g26jQsG&nh*v";
$passcode = sha1($password.$salt);
$name = $username;
$pass = $passcode;
$mail = $email;
$query_insert_user = "INSERT INTO `users` ( `username`, `password`, `email`, `active`) VALUES ( '$name', '$pass', '$mail', '$numbers')";
$result_insert_user = mysqli_query($db_conn, $query_insert_user);
if (!$result_insert_user) {
echo 'Query Failed ';
}
mysqli_close($db_conn); //Close the DB Connection
} // End of the main Submit conditional.
?>
登录页面
<?php
if ($_POST) {
$salt = "@g26jQsG&nh*v";
$password = sha1($_POST['password'].$salt);
$logdb = new PDO('mysql:host=localhost;dbname=userdb', 'root', 'pass');
$logdb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $logdb->prepare("SELECT * FROM users WHERE username=:username AND password=:password");
$stmt->bindParam(":username", $_POST['username']);
$stmt->bindParam(":password", $password);
$stmt->execute();
$atributes = $stmt->fetch(PDO::FETCH_OBJ);
if ($atributes) {
session_start();
$username = $atributes->username;
$_SESSION['username'] = $username;
$active = $atributes->active;
$email = $atributes->email;
if($active==0){
echo '<table><td width="50px" valign="top"><i class="fa fa-ban mail2"></i></td><td><div>Authentication Error! Your account is not verified please verify your email.<br/>
<small>Need more help? Please contact the systems administrator.</small></div></td></table>';}
else{
header("location: index.php");
}
} else {
header("location: login.php?else=0&n");
//incorrect
}
}
else {
header("location: login.php?false=1&n");
echo '<form name="login" action="" method="POST">
Username: <br />
<input type="text" name="username"/><br />
Password: <br />
<input type="password" name="password"/><br />
<button type="submit">Login</button>
<a href="signup.php">Register</a></form>';
}
$logdb=null;
?>
答案 0 :(得分:1)
Php为密码散列和验证提供本机支持。请使用class GetUserGeo
{
protected $ip;
protected function getIpv()
{
return (filter_var($this->ip, FILTER_VALIDATE_IP,FILTER_FLAG_IPV4) !== false);
}
protected function getRemoteAddress()
{
$this->ip = (!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))? $_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];
return $this;
}
public function getUserCountry()
{
if (!class_exists('GeoIP'))
include_once("geoip.inc");
$ipv4 = $this->getRemoteAddress()->getIpv();
$path = WP_PLUGIN_DIR.'/location-specific-menu-items';
$gPath = ($ipv4)? '/GeoIP.dat' : '/V6GeoIP.dat';
$gi = \LSMIGeoIP\geoip_open($path.$gPath, GEOIP_STANDARD);
$country = \LSMIGeoIP\geoip_country_code_by_addr($gi, $this->ip);
\LSMIGeoIP\geoip_close($gi);
return (empty($country))? 'Could not retrieve your location' : $country;
}
}
function get_user_country()
{
$co = new GetUserGeo();
return $co->getUserCountry();
}
功能,因为它更安全,更易于使用。它可以选择与盐一起使用。
请参阅
http://php.net/manual/en/function.password-hash.php
http://php.net/manual/en/function.password-verify.php
http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/
Sha1是一个受到妥协的算法,如果有人知道你的盐,他就可以破解密码。
注册码将更改为:
password_hash()登录代码
$passcode = password_hash($password, PASSWORD_DEFAULT); // leave the salt as this function will automatically generate a secure one for you
$name = $username;
$pass = $passcode;
答案 1 :(得分:0)
我在注册时使用密码盐加密用户密码
No you're not。你的代码说:
users.phpSHA1不是加密,它是一个哈希函数。 哈希不是加密。
哈希是一种单向函数,它接收无数个可能的值并将它们映射到有限数量的值,这样就很难从有限值返回到有限值。无限的。
这也是一种非常不安全的密码存储方式。见:How to safely store a password。 (另一个答案是正确的:使用$salt = "@g26jQsG&nh*v";
$passcode = sha1($password.$salt);
和password_hash()。)
此外:
password_verify()您的注册码不安全。您可能想要了解how to prevent SQL injection。而且application security in general就此而言。